Special malicious programs spy out governments and attack online shoppers. ESET publishes white papers on the latest IIS malware threats to Windows web servers.
The vulnerabilities in Microsoft Exchange worried many IT administrators at the beginning of the year. Because hackers were able to exploit Microsoft's Internet Information Services (IIS). ESET researchers have now analyzed a total of ten previously unknown malware families that were used as malicious extensions for the IIS web server. These various threats target both government mailboxes and credit card transactions in e-commerce. They can eavesdrop on and manipulate the server's communication. According to the ESET telemetry data, five IIS backdoors have spread in 2021 by exploiting the Microsoft Exchange vulnerability. The European IT security manufacturer publishes a whitepaper on WeLiveSecurity.
IIS - Internet Information Services web server
“Internet Information Services web servers are a popular target for hackers both to cause damage and to spy on victims. The modular architecture of the software offers web developers various expansion options, but is also a useful tool for attackers, ”says Zuzana Hromcová, ESET researcher and author of the white paper. “It's still pretty rare to have security software running on IIS servers. Attackers can therefore operate unnoticed for long periods of time. This should be worrying for any reputable web portal that wants to protect their visitors' data, including authentication and payment information. Companies or organizations using Outlook on the web should also be careful. The software is dependent on IIS and could be an interesting target for espionage. "
What are the malicious programs used for?
Those affected by this malware include governments in Southeast Asia and dozens of companies from various industries: mainly in Canada, Vietnam and India, but also in the USA, New Zealand, South Korea and other countries. In their analysis, ESET researchers identified five main uses for which IIS malware mainly operates:
- IIS backdoors allow attackers to remotely control the compromised computer with IIS installed.
- IIS infostealers allow hackers to intercept regular traffic between the infected server and its legitimate visitors and steal information such as login and payment information.
- IIS injectors modify HTTP responses sent to legitimate visitors to deliver malicious content.
- IIS proxies unwittingly turn the compromised server into part of the command and control infrastructure for another family of malware.
- IIS malware alters the content made available to search engines in order to manipulate search queries and improve SEO rankings for other websites of interest to the attacker.
What are Internet Information Services?
IIS is the abbreviation for Internet Information Services, a web server from Microsoft. It is not a stand-alone platform, but a service integrated in Windows. The IIS provides all functions of a web server. This enables websites to be hosted, web applications made available, and media to be streamed. This is also Microsoft's alternative to the Apache web server, which runs on Linux. IIS is also an important function for Microsoft Exchange servers.
More at ESET.com
About ESET ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.